Exporting the Name Resolution Policy Table (NRPT)

Anyone using Microsoft DirectAccess for remote connectivity is making use of something called the Name Resolution Policy Table (NRPT). This NRPT is a client-side table of settings that essentially tells the DirectAccess client what namespaces to resolve inside the DirectAccess tunnels, and which namespaces to exclude from those DA tunnels. The NRPT is kind of like a glorified HOSTS file, helping to direct DNS lookups.

If your organization’s internal DNS suffix is different than your external/public DNS (such as company.local), then your NRPT likely consists of only a handful of entries. This is easy to manage, and easily duplicable in the event that you need to rebuild a DirectAccess environment or migrate over to a new DA system.

When using split brain DNS (where your internal and external DNS suffixes are the same), your NRPT may have dozens, if not hundreds, of entries.

In order to see what your NRPT looks like, log into your DirectAccess server and open up the Remote Access Management Console. Inside the Configuration section, click the Edit… button next to Step 3. Once inside this mini-wizard, click Next once to bring yourself to the “DNS” screen inside of the Step 3 wizard. It should look something like this:

The initial configuration of the NRPT isn’t very difficult, and is outside the scope of this article. What we are here to discuss today is the fact that, as you can see, there is no “export” button on this screen from which to make yourself a backup copy of these settings. A backup of the settings on this screen could be useful for safekeeping (documenting of your DirectAccess environment), and it could be even more valuable in the event that you need to re-create this list in the future, on a different DirectAccess server.

I work on a lot of projects where we are migrating a company’s DirectAccess users from one DA server to another. Sometimes this is to upgrade to a newer operating system on the DA server. More often it is because we are migrating the DA infrastructure from one datacenter to another, or even just from one ISP to another. Any of these scenarios is best served by a “lift and shift”, bringing up a new DirectAccess infrastructure and then swinging your user population from old to new.

If you find yourself in that scenario, one of the biggest headaches for recreating your DA environment on the new server is re-typing in all of these NRPT entries. There is no export function, and no import function. So most commonly you find yourself a computer with dual monitors so that you can bring the old DA server up on one screen, and manually go through every entry one by one to input them into the new system.

While there is no automated way to import a whole list of NRPT entries, having a cleanly formatted export of all the records in this list would be greatly helpful. One way to grab this information is by using the following netshell command on one of your DirectAccess CLIENT computers:

netsh name show policy

This command will spit out all of the records inside your NRPT, but in a very messy and unfriendly format, as seen here:

That is pretty much unusable, and you might as well go back to the one-by-one method of copying them from the old DirectAccess server’s config screens. Thankfully, there is an easier way to export all of your NRPT information! Even better is that you can do this right from the DirectAccess server itself. Open up a PowerShell prompt, and give the following a try:

Get-DAClientDnsConfiguration

As you can see, using this command displays all of the NRPT information for the DirectAccess environment in a much nicer and more friendly layout. This can then be printed, documented, or whatever else you would like to do with it in order to make new DirectAccess configurations easier and faster.